[CRIU] [PATCH 1/3] ipc: Don't access data out of allocated slab
Pavel Emelyanov
xemul at parallels.com
Wed Sep 4 06:57:19 EDT 2013
On 09/04/2013 01:37 AM, Cyrill Gorcunov wrote:
>
> We should zeroify all data actually for security
> reasons, but this aspect will be addressed in further
> patches.
>
> Meanwhile at least allocate enough space so pb_write
> won't access data which is not allocated for us.
>
> Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
> ---
> ipc_ns.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> @@ -75,7 +75,7 @@ static int dump_ipc_sem_set(int fd, const IpcSemEntry *sem)
> u16 *values;
>
> size = sizeof(u16) * sem->nsems;
> - values = xmalloc(size);
> + values = xmalloc(round_up(size, sizeof(u64)));
This round_up can be put into size = ..., since it's also rounded below.
> if (values == NULL) {
> pr_err("Failed to allocate memory for semaphore set values\n");
> ret = -ENOMEM;
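Review bot: the padding between size and round_up(size, sizeof(u64)) in the `values = xmalloc(round_up(size, sizeof(u64)));` line is still uninitialized heap memory, so the rounded write the commit message refers to (pb_write) now copies stale heap bytes into the image instead of reading past the allocation. Since this hunk already touches the allocation, clearing the bytes after the last u16 here (a memset of the tail, or a zeroing allocator if the tree has one) would close the over-read and the information leak in one change instead of deferring the second half to a later patch.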
> @@ -185,7 +185,7 @@ static int dump_ipc_msg_queue_messages(int fd, const IpcMsgEntry *msq,
> }
>
> msgmax += sizeof(struct msgbuf);
> - message = xmalloc(msgmax);
> + message = xmalloc(round_up(msgmax, sizeof(u64)));
This looks useless, as nobody tries to access more than msgmax bytes below.
> if (message == NULL) {
> pr_err("Failed to allocate memory for IPC message\n");
> return -ENOMEM;
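Review bot: nothing in this hunk consumes the rounded size: msgmax is the only length in scope and no visible line writes round_up(msgmax, sizeof(u64)) bytes, unlike the semaphore hunks where the read/write length itself is rounded. Either the commit message should name the write in dump_ipc_msg_queue_messages that runs past msgmax, or the `message = xmalloc(round_up(msgmax, sizeof(u64)));` change should be dropped, since as shown it only allocates padding that is neither zeroed nor used.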
> @@ -472,7 +472,7 @@ void ipc_sem_handler(int fd, void *obj)
>
> pr_msg("\n");
> size = sizeof(u16) * e->nsems;
> - values = xmalloc(size);
> + values = xmalloc(round_up(size, sizeof(u64)));
This round_up can be put into the size = ... line as well.
> if (values == NULL)
> return;
> if (read_img_buf(fd, values, round_up(size, sizeof(u64))) <= 0) {
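Review bot: the `read_img_buf(fd, values, round_up(size, sizeof(u64)))` context line reads the rounded length into values, so before this change any e->nsems whose sizeof(u16) * nsems is not a multiple of 8 overflowed the heap buffer on the read side, not merely over-read on write; the commit message should say so, since this is the one site in the patch where a value taken from the image drives a write past an allocation. Computing the rounded length once and using it for both the xmalloc and the read_img_buf call would also keep the two lengths from diverging again.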
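Rounding an allocation up to sizeof(u64) without clearing it turns the over-read into a leak of stale heap bytes, and on the read_img_buf side the pre-patch mismatch between allocated and read length was a heap overflow. The C program below is an added example, not code from CRIU or from this patch: round_up_pow2, image_write, dump_sem_values, overrun_bytes and padding_is_clean are illustrative names, image_write stands in for the writer the commit message calls pb_write, the three-element semaphore set is constructed input, and the 0xAA fill models stale heap contents, since malloc() gives no guarantee about them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t u16;
typedef uint64_t u64;

/* Assumed equivalent of CRIU's round_up() for a power-of-two alignment
 * (example code, not the project's macro). */
static size_t round_up_pow2(size_t x, size_t align)
{
	return (x + align - 1) & ~(align - 1);
}

/* Bytes a rounded-length write or read touches beyond a buffer of
 * exactly sizeof(u16) * nsems: the over-read on the dump side and the
 * heap overflow on the read_img_buf side that the patch closes. */
static size_t overrun_bytes(size_t nsems)
{
	size_t size = sizeof(u16) * nsems;

	return round_up_pow2(size, sizeof(u64)) - size;
}

/* Hypothetical stand-in for the image writer (pb_write in the patch):
 * it copies len bytes and has no idea how large buf really is. */
static void image_write(unsigned char *out, const void *buf, size_t len)
{
	memcpy(out, buf, len);
}

/* Dump-side model: allocate the rounded size (what the patch does), copy
 * the semaphore values in, write the rounded length out. With zero_pad
 * == 0 the tail keeps a constructed 0xAA fill standing in for whatever
 * the heap held before. Returns the number of bytes written to out,
 * which must hold round_up_pow2(sizeof(u16) * nsems, sizeof(u64)). */
static size_t dump_sem_values(const u16 *vals, size_t nsems,
			      unsigned char *out, int zero_pad)
{
	size_t size = round_up_pow2(sizeof(u16) * nsems, sizeof(u64));
	u16 *values = malloc(size);

	if (!values)
		return 0;
	memset(values, zero_pad ? 0x00 : 0xAA, size);
	memcpy(values, vals, sizeof(u16) * nsems);
	image_write(out, values, size);
	free(values);
	return size;
}

/* 1 if every byte after the last real u16 in the written image is zero,
 * i.e. the dump carried nothing from the heap into the image. */
static int padding_is_clean(const unsigned char *out, size_t nsems,
			    size_t written)
{
	size_t i;

	for (i = sizeof(u16) * nsems; i < written; i++)
		if (out[i] != 0)
			return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample: three semaphores, 6 bytes of values, 8 written. */
	const u16 vals[3] = { 1, 2, 3 };
	unsigned char img[16];
	size_t n;

	printf("overrun for 3 sems: %zu bytes\n", overrun_bytes(3));
	n = dump_sem_values(vals, 3, img, 0);
	printf("unzeroed: %zu bytes written, padding clean: %d\n",
	       n, padding_is_clean(img, 3, n));
	n = dump_sem_values(vals, 3, img, 1);
	printf("zeroed:   %zu bytes written, padding clean: %d\n",
	       n, padding_is_clean(img, 3, n));
	return 0;
}
```

For nsems values that are multiples of four the overrun is zero, which is why the bug only shows on some semaphore sets; the zeroing path is the one a dump should take regardless, since the image is written to disk and may be copied elsewhere.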